> ## Documentation Index
> Fetch the complete documentation index at: https://docs.alterscope.org/llms.txt
> Use this file to discover all available pages before exploring further.

# Authentication

> How to create, send, rotate, and revoke Alterscope API keys.

Every request to the Alterscope Developer API authenticates with an API key. Keys are issued in the [Developer Portal](https://app.alterscope.org/connections) under your organization's API Keys settings, and are prefixed `sk_live_`.

<Warning>
  Treat an API key like a password. Store it in an environment variable or a secrets manager, never in source control or client-side code. The key carries your organization's scopes and quota.
</Warning>

## Sending the key

Send the key as a bearer token in the `Authorization` header:

```http theme={null}
Authorization: Bearer sk_live_xxx
```

This is the only form that authenticates an HTTP request. Browser WebSocket clients, which cannot set custom headers, pass the key via the `?token=` query parameter on connect instead — that is the only other accepted form.

<Snippet file="base-url.mdx" />

## Rotation and revocation

Create a new key in the Developer Portal before retiring an old one, switch your application to the new key, then revoke the old key. A revoked or expired key fails closed: requests return `401` with an error `code` of `revoked_key` or `expired_key`. See [Errors](/develop/get-started/errors) for the full status mapping.

## What a key can access

A key carries a set of [scopes](/develop/get-started/scopes) (what it may call) and is bound to a plan [tier](/develop/get-started/rate-limits) (how much and how often). A request that lacks the required scope returns `403` with `code` `insufficient_scope`. Org admins can mint keys with a subset of scopes using a key that holds `admin:keys`.

## Next steps

<CardGroup cols={2}>
  <Card title="Scopes" icon="list-check" href="/develop/get-started/scopes">
    The permissions a key can hold.
  </Card>

  <Card title="Rate limits" icon="gauge-high" href="/develop/get-started/rate-limits">
    Per-tier request and quota limits.
  </Card>
</CardGroup>
